Ey segregation of_duties
Post on 14-Apr-2017
Embed Size (px)
A risk-based approach to segregation of duties
Insights on governance, risk and compliance
The complexity of todays enterprise systems leaves many companies struggling with the basic internal control of segregation of duties.
1Insights on governance, risk and compliance | May 2010
Segregation of Duties (SoD) is top of mind for many professionals, from compliance managers to executive-level officers. The increased interest in SoD is due, in part, to control-driven regulations worldwide and the executive-level accountability for their successful implementation. However, the underlying reason for these regulations is more important: no individual should have excessive system access that enables them to execute transactions across an entire business process without checks and balances. Allowing this kind of access represents a very real risk to the business, and managing that risk in a pragmatic, effective way is more difficult than it seems.
If this concept is common sense, why do so many companies struggle with SoD compliance and why does it repeatedly stifle information technology (IT), internal audit and finance departments? In large part, the difficulty rests in the complexity and variety of the systems that automate key business processes, and the ownership and accountability for controlling those processes.
SoD is a basic internal control that attempts to ensure no single individual has the authority to execute two or more conflicting sensitive transactions with the potential to impact financial statements. Without proper guidance and a sound approach, SoD implementation, testing, remediation and mitigation may appear to be extremely difficult to achieve. However, a risk-based approach can make the effort manageable for a company of any size.
Companies dont need to create complex role structures or undertake expensive system overhauls in order to meet SoD compliance and the principle of least privilege. By focusing on the transactions that pose the greatest risk to the business, a company can quickly understand the issues related to access and determine at a level that satisfies management and audit parties that appropriate steps are being taken to remedy and mitigate the root causes of the issues.
This document outlines a practical, risk-based approach to SoD compliance.
2 Insights on governance, risk and compliance | May 2010
Proper SoD is a long-established method of preventing fraud and maintaining checks and balances within a company. However, the recent regulatory focus on public companies has driven businesses to truly understand what access their employees have within their application portfolio. Control-driven regulations, like Sarbanes-Oxley in the United States for instance, have not only imposed an unprecedented rigor around controls, they also underscore the importance of an integrated IT and financial controls approach to managing risk within a company.
Across the globe, existing and proposed regulations continue to bring the issue of SoD and controls to the forefront of agendas for auditors and executives alike. These include the European Unions 8th Directive, which is viewed to some degree as Europes SOX equivalent; J-SOX, the Japanese Sarbanes-Oxley version; and Basel II, which addresses the method that financial institutions use to calculate capital adequacy and its alignment with the companys risk profile.
The list of regulations continues to grow, and in response, compliance initiatives expand and consume corporate resources. As companies continually rationalize spending and optimize budgets, a pragmatic, balanced approach to internal controls is expected. Regulators have listened to companies needs in order to move towards legislation and guidance that balances the level of effort required to understand risk. An example is the release of Public Accounting Oversight Board (PCAOB) Auditing Standard No. 5, which pushed companies and their auditors to focus more on risk and significant concerns that could affect the business and financial statements; a clear message that a risk-based methodology is fundamental to an effective and efficient internal control framework.
In summary, not implementing SoD as part of a robust framework puts the organization at risk of failing to meet regulatory and compliance requirements. But this is not the only risk.
The cost of fraud and other internal control failures is well documented in dollar values, which is where the cost starts to feel more real. In addition, other costs are often hidden, such as:
Lost shareholder value because the market no longer has confidence in the organization
Missed business opportunities because your organizations credit rating changes and financing becomes more expensive
Costs to recover from reputational damage
A risk-based approach enables organizations to manage but not entirely mitigate these risks in a balanced and efficient way that reflects the value that is being protected.
Business drivers and regulatory compliance
3Insights on governance, risk and compliance | May 2010
A risk-based methodology, such as the one discussed in this document, focuses on the issues that pose the greatest threat to the business and its financial statements. Whether the drivers for investing in SoD compliance are regulatory compliance, fraud prevention or a new ERP system, a company cannot eliminate every potential risk. Rather, the goal is to hone in on the risks that threaten pre-defined thresholds of value. These are typically determined at the outset of the SoD initiative. Materiality, fraud thresholds or financially significant limits quantifying the impact of realization of financial, operational or reputational risks are examples of thresholds that serve to measure the financial sensitivity of SoD conflicts.
SoD dictates that problems such as fraud, material misstatement and financial statement manipulation have the potential to arise when the same individual is allowed to execute two or more conflicting sensitive transactions. Sensitive transactions drive processes with the potential to impact a companys financial statements, operational activities or market reputation. Many companies strive for zero SoD conflicts in their user population, though this is often unachievable, unsustainable and unrealistic given the number of employees within a typical business function. Separating discrete job responsibilities into task-oriented roles can often result in inefficiencies and unnecessary costs.
Ultimately, it is critical for the company to understand and assess the landscape of current conflicts, reduce them to the extent possible for a given staffing model (via remediation initiatives) and apply mitigating controls to the remaining issues. This approach does not yield zero SoD conflicts, but demonstrates that management has evaluated existing conflicts and reduced residual risk to an acceptable level through tested and controlled processes. Typically, this solution is palatable to auditors, regulators and financial reporting stakeholders alike, and promotes the awareness of risk beyond a compliance-only exercise.
A risk-based methodology
SoD glossary Materiality the financial threshold or impact a potential SoD conflict can have
over a companys financial statements
Principle of least privilege the concept that system users should have access to only the resources absolutely necessary to perform their job responsibilities
Segregation of duties (SoD) an internal control that attempts to ensure that no single individual should have control over two or more conflicting sensitive transactions
Sensitive transaction a business transaction with the potential to impact a companys financial statements
SoDconflict the pairing of two conflicting sensitive transactions or business activities
4 Insights on governance, risk and compliance | May 2010
Phase 1 Phase 2 Phase 3 Phase 4 Phase 5
Most successful SoD initiatives consist of five phases: business definition, technical definition, testing, mitigation and remediation.
The SoD roadmap
Phase1:BusinessdefinitionThe objective of this phase is to gain an understanding of the scope of sensitive transactions and conflicts that drive the companys key business processes. These are also the transactions that pose the greatest fraud risk to the organization should someone possess excessive access. During this phase, thresholds are determined based on the risk and impact to the company for each potential SoD conflict pairing.
As this step lays the foundation for everything that follows; proper execution is critical. Many companies fail in this early stage by taking on too many conflict pairings that do not meet the threshold level of risk, resulting in onerous requirements that ultimately cannot be met or are excessively costly for the risks they are attempting to manage. For example, a company may be concerned with allowing the same individual to both create a vendor purchase order and modify the customer pricing master file. However, the combination of the two may constitute such a low risk that it does not warrant inclusion in the companys conflict matrix. It might be more appropriate to include potential conflicts for a user who could modify the vendor master file, create a vendor purchase order and issue payment to vendors as the combination represents the higher risk to the company.
The output of the business definition phase is a matrix of potential conflicts, independent of the supporting IT application driving each transaction, but including the corres